On Tue 23/12/2003 at 14:19, Chris Brenton wrote:
> > -A INPUT -p tcp ! --syn -m state --state NEW -j LOG
> > --log-prefix "New not syn:"
> iptables -A INPUT -p tcp ! --tcp-flags SYN SYN -m state --state NEW -j
> LOG --log-prefix " New not syn: "

"--syn" is equivalent to "--tcp-flags SYN,RST,ACK SYN"

I can confirm that iptables-save generates a --tcp-flags line:

cbr@elendil:~$ sudo iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG
cbr@elendil:~$ sudo iptables-save
# Generated by iptables-save v1.2.8 on Tue Dec 23 14:44:17 2003
[...]
*filter
:INPUT DROP [529:81210]
[...]
-A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG

So, for the OP (ads nat): you seem to have modified your ruleset by hand
and used an alias (--syn) that iptables-<save/restore> does not understand.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
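
The mask/compare test behind the two rule spellings quoted in this thread, as an added example that is not part of the original message. It models only the TCP flag match (not `-m state --state NEW`); the function names and the sample packets are constructed for illustration.

```python
# Added illustration: iptables "--tcp-flags <mask> <comp>" examines only the
# flags listed in <mask> and matches when exactly the <comp> flags are set.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
         "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def bits(names):
    """Turn a list such as 'SYN,RST,ACK' (or 'ALL' / 'NONE') into a bitmask."""
    if names == "NONE":
        return 0
    if names == "ALL":
        return 0x3F
    value = 0
    for name in names.split(","):
        if name not in FLAGS:
            raise ValueError("unknown TCP flag: " + name)
        value |= FLAGS[name]
    return value


def tcp_flags_match(packet, mask, comp, invert=False):
    """Evaluate [!] --tcp-flags mask comp against a packet's flag list."""
    hit = (bits(packet) & bits(mask)) == bits(comp)
    return hit != invert


def not_syn_alias(packet):
    """'! --syn', using the expansion iptables-save v1.2.8 printed in the thread."""
    return tcp_flags_match(packet, "SYN,RST,ACK", "SYN", invert=True)


def not_syn_only_mask(packet):
    """'! --tcp-flags SYN SYN', the spelling from the quoted reply."""
    return tcp_flags_match(packet, "SYN", "SYN", invert=True)


def compare(packets):
    """Map each packet to (matches '! --syn', matches '! --tcp-flags SYN SYN')."""
    return {p: (not_syn_alias(p), not_syn_only_mask(p)) for p in packets}


# Constructed sample packets, described by the flags they carry.
SAMPLES = ["SYN", "ACK", "SYN,ACK", "RST", "FIN,ACK", "SYN,FIN"]

if __name__ == "__main__":
    for packet, (alias, syn_only) in compare(SAMPLES).items():
        print(f"{packet:8} ! --syn={alias!s:5} ! --tcp-flags SYN SYN={syn_only}")
```

Of these samples, only the SYN,ACK packet is treated differently: the `! --syn` form matches it, while the `SYN SYN` mask does not because it looks at the SYN bit alone.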